Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data

Investigations have begun into a massive ransomware attack that has affected Sri Lanka’s government cloud system, Lanka Government Cloud (LGC).

The investigation is being conducted by the Sri Lanka Computer Emergency Readiness Team and Coordination Center (CERT|CC). Sri Lanka’s Information and Communication Technology Agency (ICTA) confirmed the attack to several local news outlets on September 11, 2023.

The attack likely started on August 26, 2023, when a gov[dot]lk domain user said they had received suspicious links over the past few weeks and that someone may have clicked one.

LGC services and the backup systems were quickly encrypted. Mahesh Perera, CEO at ICTA, estimated all 5000 email addresses using the “gov[dot]lk” email domain, including those used by the Cabinet Office, were affected.

The system and the backup were restored within 12 hours of the attack.

However, since the system didn’t have any backup available for the data spanning May 17 to August 26, 2023, all affected accounts have permanently lost data covering this period.

Concerning Security Failings

Perera told the press that LGC was introduced in 2007 and first used Microsoft Exchange Version 2003, but was updated to Microsoft Exchange Version 2013 in 2014.

“This was in use till the attack. But that version is now obsolete, outdated and vulnerable to various types of attacks,” he said.

Although the Agency had planned from 2021 to upgrade LGC to the latest version (currently Exchange Server 2019 CU11 Oct21SU), the decisions had been delayed due to “fund limitations and certain previous board decisions,” Perera added.

Following the attack, ICTA has started taking measures to enhance its security, including initiating daily offline backup routines and upgrading the relevant email application to the latest version.

The Sri Lanka CERT|CC is also helping ICTA to retrieve the lost data.

The Sri Lankan government had previously been criticized for failing to efficiently promote serious cybersecurity measures within its public administrations and its private sector.

The country ranks 83rd out of 175 countries in the Estonia-based e-Governance Academy Foundation’s National Cyber Security Index.

In June 2023, the Sri Lankan government unveiled long-delayed cybersecurity legislation, which will introduce its first-ever national cybersecurity authority.